I remember my crypto professor mentioning batching attacks against RSA, but he didn’t spend much time on it. It’s good to be reminded of it, especially in the context of the Logjam attack and its response (which he addresses near the end). Effectively, the Logjam attack was feasible because batch attacks on non-elliptic DH were feasible. If the batch attack was too slow, then clients would have dropped their connection before the attacker could compute their shared secret.